use a pure eBPF service? • Not mature enough eBPF brief • Write C • Compile into eBPF assembly code • Inject to kernel • Attach to network tc hooks • Triggered by ingress/egress packets IPVS bypass map id is passed to IPVS module • Ip_vs_new_conn() inserts eBPF map • Key: (protocol, cip:cport , rsip:rsport) • Value: (protocol, lip:lport, rsip:rsport) • Ip_vs_conn_unlink() deletes entries in eBPF https://careers.tencent.com/home.html Bugs solved – 1/2 • IPVS conn_reuse_mode=1 low cps Ip_vs_conn nf_conn New ip_vs_conn Bugs solved – 2/2 • DNS resolution delays for 5s Iptables SNAT Conntrack insert

b Compiler + Containerizer github.com/GoogleContainerTools/jib Code Executable Compile github.com/GoogleContainerTools/jib Code Executable Compile Java Container Containerize github.com/G total time layer 4 cached cached github.com/GoogleContainerTools/jib Jib vs Docker github.com/GoogleContainerTools/jib Jib vs Docker github.com/GoogleContainerTools/jib Reproducibility github.com facilitates continuous development for Kubernetes applications. You can iterate on your application source code locally then deploy to local or remote Kubernetes clusters. Skaffold handles the workflow for building

Affiliates. All rights reserved. Amazon Confidential 容器安全模型: 深层防护 • full blown distro (Ubuntu, AL) vs. minimal environment (container- optimized distribution) • multi-tenancy requirements • gotchas: unnecessary privileged users, no scans, trust • code analysis • source available? • gotchas: big surface, many languages { } } • sanitizing user input • static code analysis • gotchas: log-leaking} • sensitive Identifiable Information (PII) • gotchas: leaks, GDPR (in Europe) { host container dependencies code config user data © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon

resilient systems at scale” (Jez Humble) • Applying Agile practices to operations • Infrastructure as code • Ops teams embracing source control (git) • Automated testing • Repeatable/consistent • CI/CD • canary release of Models • Comparing Production accuracy vs expected accuracy when possible • Rolling-updates • … Resources • Source code for this talk: https://github.com/ritazh/kubecon-ml • Kubeflow

report code code review PR workflow git workflow CI bot/commands https://prow.k8s.io/command-help /approve /cc /lgtm /assign /retest /kind bug /hold /lint joke/shrug cats vs dogs A short

releases $ heroku pipeline $ rio run $ rio scale $ rio weight/promote $ rio route $ rio up riofile 抽象程度 vs 可扩展性 • 随着抽象程度的增高可以显著降低学习曲线，但是却不得不在扩展性上妥协 抽象程度 可扩展性 高 低 低 高 CRD + Controllers = Everything 通过编写遵循严格限制 Controller Kubernetes metrics traffic Workloads (YAML) Continuous Delivery is in k8s now! code 三者结合呢？ • 基于 CUE 的客户端抽象 • 基于 OAM 的应用模型 • 围绕 GitOps 的持续交付 = “以应用为中心”的 K8s KubeVela Git (as source Controller Rollout Controller GitOps OAM K8s Plugin + CUE Abstraction Processor Kubernetes traffic code Raw k8s API resources 面向应用开发者的 appfile • 基于 CUE 进行抽象 • 兼容 OAM Spec metrics Deployment Controller

{error proto file} --go-errors_out={output directory} • 实现我们自定义的error类型，方便断言。 • 根据注解的code信息，在错误码中生成对应的grpc status code • 确保错误码唯一，后续在API层响应用户数据确保唯一错误码，例如: 下单失败(1008) • errors里设置with message，携带更多的错误信息 微服务的开发阶段 -name:X-Health-Check value: 1 微服务的调用阶段 Resolver Balancer Auth Context • Kubernetes DNS Resolver VS Kubernetes API Server Resolver • DNS resolver is builtin in gRPC framework and its out-of-box for

Controller • Level driven, not edge driven edge level Image: https://speakerdeck.com/thockin/edge-vs-level-triggered-logic Controller • The heart of Kubernetes orchestrator • drives the cluster state mins) 2.The heart of Kubernetes orchestration: Controller 3.Write your own Controller with CRD 4.code gen for deep copy, API conversion, API doc, encoding/decoding etc 5.gRPC based interface (e.g. CRI)

eth; 4.kube-proxy跟据svc yaml创建ipvs-eth子网卡; 5.flanneld创建同步所有节点docker子网路由表; 你好我是分享标题 我是作者名称 flannel vs calico 采用万兆网卡的虚拟机，测试方法是不同node节点开启qperf测试 结论： tcp延迟:calico-bgpcode k8s cluster 容器平台持续集成交付全流程 ci-cd效果 k8s运维管理平台-构建 k8s运维管理平台-容器管理 meta-server (eureka) config-server

@m1093782566 Kubernetes�Service�� Iptables��Service���� ��Iptables������� IPVS��Service���� Iptables vs. IPVS Kubernetes�Service ����onl��a�o� - ��������������t� - ���������� - �����IP�n������� - �������� Pod Pod Kubernetes�Service�� Iptables��Service���� ��iptables������� IPVS��Service���� Iptables vs. IPVS Iptables�:�� • �������������Netfilter���� Xtables ����linux������ ��E��Iptables��� Iptables����������� 3 4 Kubernetes�Service�� Iptables��Service���� ��iptables������� IPVS��Service���� Iptables vs. IPVS Iptables�������� • �B������ KUBE-SERVICES������KUBE-SVC-*������service��������� ��������O(N)